CVE patch for 5.1 (PVE-2025-76910)

[agalazis]

Security vulenrability for v5.1.3

Since 4.2 still LTS and last supported by v5.1 it would be ideal to have a patch for the following cve

What's wrong

https://data.safetycli.com/vulnerabilities/PVE-2025-76910/76910/

Affected versions of django-stubs are potentially vulnerable to Security Misconfiguration. The inclusion of type stubs for deprecated and insecure password hashers (MD5PasswordHasher, SHA1PasswordHasher, and CryptPasswordHasher) may inadvertently encourage their use in Django applications. This can lead to the storage of user passwords using weak hashing algorithms, making them susceptible to brute-force attacks.

Although the algorithms might not be used for storing passwords or anything critical:

1. Not everybody needs to dive to the internals to figure out
2. Extra effort is needed to deal with whitelisting the vulnerability

[sobolevn]

Maybe we can mark them as @deprecated 🤔
What other ideas do you have?

[adamchainz]

The linked page goes to https://github.com/typeddjango/django-stubs/pull/2537/files , where I removed the types for the hashers which were removed in Django.

There is no code left for them, so nothing to fix, right?

[agalazis]

The linked page goes to https://github.com/typeddjango/django-stubs/pull/2537/files , where I removed the types for the hashers which were removed in Django.

There is no code left for them, so nothing to fix, right?

Yes the request is for the fix to be ported to 5.1 (ie with a new 5.1.4 release) since people still use django 4.2